Data Breaches: A Year in Review

There are hundreds of ways that a consumer's personal
information may be lost, stolen or exposed.
An employee may lose a laptop, hackers may download credit card numbers
or sensitive personal data may be accidentally exposed online.

Privacy Rights Clearinghouse has been tracking breaches
since 2005 and publishes a Chronology
of Data Breaches. The Chronology counts the number of records leaked that
contain information useful to identity thieves, such as Social Security
numbers, financial account numbers, driver's license numbers – and in some
states, medical information.

2011 was a significant year for data security, with some of
the biggest data breaches in our history reported. So far in 2011, we’ve
tracked 535 breaches involving 30.4 million sensitive records. This brings the
total reported records breached in the U.S. since 2005 to the alarming number
of 543 million.

"This is a conservative number," says Director
Beth Givens. "We generally learn about breaches that garner media
attention. Unfortunately, many do not. And, because many states do not
require companies to report data breaches to a central clearinghouse, data
breaches occur that we never hear about. Our Chronology is only a
sampling."

Data breaches of sensitive information, especially Social
Security and credit card numbers, make consumers vulnerable to identity theft.
According to a 2009 report by Javelin Research & Strategy, individuals are four
times more likely to be the victim of identity theft in the year after
receiving a data breach notification letter. But even breaches that contain
data as seemingly innocuous as names and email addresses can be used by
fraudsters to trick consumers into revealing information that can lead to
identity theft.

Unfortunately, it is virtually impossible for individuals to
protect themselves from a data breach. It is up to organizations that
collect data on consumers to take the steps to ensure the privacy and security
of the data they collect and maintain.

The following half dozen are our top picks for the most significant
data breaches in 2011:

Sony PlayStation (April 27) – Sony discovered an external
intrusion on PlayStation Network (PSN) and its Qriocity music service around
April 19. Sony blocked users from playing online games or accessing services
like Netflix and Hulu Plus on April 22. The blockage lasted for seven days. Sony
believes criminal hacker(s) obtained names, addresses, email addresses, dates
of birth, PSN/Qriocity password and login, and online IDs for multiple users.
The attacker may have also stolen users' purchase history, billing address, and
password security questions. Over the course of the next several months, Sony
discovered that the hackers gained access to 101.6 million records, including
12 million unencrypted credit card numbers. A concise history of
the Sony hacks can be found here.

The Sony breach highlights the
importance of password hygiene. Passwords are frequently the only thing
protecting our private information from prying eyes. Many websites that
store your personal information (for example web mail, photo or document
storage sites, and money management sites) require just a user name and
password for protection. Password-protected web sites are becoming more
vulnerable because often people use the same passwords on numerous sites.
One study
by Sophos, a security firm, found that more than 30% of users recycle the
same password for every site that they access. In this case, the stolen
passwords were unencrypted, meaning the criminal could potentially "break
in" to other sites if the victims used the same password more than once.
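The point above is that a leaked credential store is only as dangerous as the form the passwords are kept in. The following is an added example, not code from the Privacy Rights Clearinghouse article or from Sony: it contrasts a store that keeps the password itself (what "unencrypted" amounted to here) with one that keeps a per-user salt and a PBKDF2-HMAC-SHA256 digest. The record formats, the iteration count and the sample passwords are constructed for the illustration; the hashing primitives are the Python standard library.

```python
"""Salted, iterated password hashing as the mitigation for plaintext password
exposure. Added example; hashlib, hmac and secrets are the Python standard library."""
import hashlib
import hmac
import secrets
from typing import Optional

# PBKDF2 work factor. Constructed value for the example; tune it to your hardware
# so that one verification costs tens of milliseconds.
ITERATIONS = 200_000


def store_plaintext(password: str) -> dict:
    """What a plaintext store amounts to: the record contains the password itself."""
    return {"scheme": "plaintext", "secret": password}


def store_hashed(password: str) -> dict:
    """Salted PBKDF2 record: a fresh random salt per user plus the derived digest.
    Two users with the same password get different records because the salts differ."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {
        "scheme": "pbkdf2-sha256",
        "iterations": ITERATIONS,
        "salt": salt.hex(),
        "digest": digest.hex(),
    }


def verify(record: dict, attempt: str) -> bool:
    """Check a login attempt against either record type, using a constant-time
    comparison so that timing does not leak how many bytes matched."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(record["secret"].encode("utf-8"), attempt.encode("utf-8"))
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        attempt.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def exposed_on_leak(record: dict) -> Optional[str]:
    """What someone who copies the record learns directly: the password for a
    plaintext store, nothing reusable for a salted-hash store."""
    if record["scheme"] == "plaintext":
        return record["secret"]
    return None


if __name__ == "__main__":
    # Constructed sample password; never reuse real credentials in test code.
    leaked_plain = store_plaintext("correct horse battery")
    leaked_hashed = store_hashed("correct horse battery")
    print("plaintext store leaks:", exposed_on_leak(leaked_plain))
    print("hashed store leaks:", exposed_on_leak(leaked_hashed))
    print("hashed store still verifies the right password:",
          verify(leaked_hashed, "correct horse battery"))
```

Both stores let a legitimate user log in; only the plaintext one hands an attacker a credential that can be tried elsewhere, which is exactly the reuse risk the Sophos figure above describes. Note that hashing protects the password, not the rest of the record: names, addresses and card numbers still need encryption and access control of their own.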

Epsilon (April 2) – Epsilon, an email service provider for companies, reported a
breach that affected approximately 75 client companies. Email addresses
and customer names were affected. Epsilon has not disclosed the names of the
companies affected or the total number of names stolen. However, millions
of customers received notices from a growing list of companies, making this the largest security
breach ever. Conservative estimates place the number of customer email
addresses breached at 50 to 60 million. The number of customer emails
exposed may have reached 250 million.

Compromised email addresses and names may
seem innocuous to some, but victims may fall prey to spear phishing.
Spear phishing occurs when a criminal sends an email that sounds and looks like
it’s from a company the recipient has an account with because it addresses him
or her by name. A spear-phishing message might say, "Hello Mr. Anderson. Because of the
recent hacking incident affecting some Acme customers, we are asking you to
visit this website [URL provided] and update your security settings." The email
tries to convince trusting readers to "bite" on the bait and go to that
website, and then divulge other information like Social Security numbers and
credit card numbers. The result could be as serious as identity theft.

The Epsilon breach is also significant
because it highlights the risk of cloud-based computing systems and the need
for greater cloud security measures.

Sutter Physicians Services (SPS) and Sutter Medical Foundation (SMF) (Nov. 16) –
A company-issued desktop computer was stolen from SMF's administrative offices
in Sacramento, California, during the weekend of October 15th. Although
the data was password protected, it was not encrypted. Approximately 3.3
million patients whose health care provider is supported by SPS had their
names, addresses, dates of birth, phone numbers, email addresses, medical
record numbers and health insurance plan name exposed. An additional 934,000 SMF
patients had dates of service and descriptions of medical diagnoses and/or
procedures used for business operations exposed, bringing the total to 4.2
million patients. At least two lawsuits have been filed
against Sutter Health. One class-action suit alleges that Sutter Health
was negligent in safeguarding its computers and data, and then did not notify
the millions of patients whose data went missing within the time required by
state law.

The security lapse occurred on two
levels: both the data itself (being unencrypted) and the physical location
(stored in an insecure location). Although no Social Security numbers or
financial information were apparently exposed, all the data elements needed for
medical identity theft were included in the stolen records.

Texas Comptroller's Office (April 11) – Information
from three Texas agencies was discovered to be accessible on a public server.
Sometime between January and May of 2010, unencrypted data was transferred from
the Teacher Retirement Center of Texas, the Texas Workforce Commission (TWC)
and the Employees Retirement System of Texas. It ended up on a state-controlled
public server as early as April 2010 and was not discovered until March 31,
2011. Sensitive information such as names, Social Security numbers, addresses,
dates of birth and driver's license numbers could have been exposed.

A spokesperson from the Texas Comptroller's Office claims that the breach
occurred because numerous procedures were not followed. Some employees
were fired for their roles in the incident. Approximately two million of the
3.5 million individuals possibly affected were unemployment insurance claimants
who may have had their names, Social Security numbers and mailing addresses
exposed. The birth dates and driver's license numbers of some of these
people were also exposed. Two class action lawsuits have been filed on behalf
of the 3.5 million Texans affected by the breach. One such lawsuit seeks a
$1,000 statutory penalty for each individual.

Although all breaches of sensitive personal information are serious, the Texas Comptroller breach is particularly significant because individuals generally do not have a choice when providing personal information to a government agency. It is therefore vitally important that government agencies act as responsible stewards of personal data.

Not only was Health Net the first
massive medical breach of the year, but the company waited three months before
notifying affected individuals. The servers were discovered missing in January,
but policyholders were not notified until March. The breach highlights the
importance of timely notification.

Tricare Management Activity, Science Applications International Corporation (SAIC)
(Sept. 30) – The theft of backup tapes from an employee's car
resulted in the exposure of protected health information from
patients of military hospitals and clinics. Uniformed Service members,
retirees and their families were affected. Patient data from the military
health system dating from 1992 to September 2011 could have been compromised.
It included Social Security numbers, addresses, phone numbers, clinical notes,
laboratory tests, prescriptions, and other medical information. Four
people have filed a $4.9 billion lawsuit over the improper disclosure of active
and retired military personnel and family data. The lawsuit would give
$1,000 to each of the affected individuals. SAIC reported that 5,117,799
people were affected by the breach.

The Tricare/SAIC breach is significant because not only are the victims
at risk of medical identity theft, but financial identity theft as well. The
breach raises several questions: Why were the backup tapes being transported in
an employee’s personal vehicle? And why were those records not encrypted? This
breach also illustrates the triple impact of medical breaches. Victims not only
suffer the exposure of their sensitive health information; they also are
vulnerable to financial identity theft as well as medical identity theft.

It is also significant that two out of six of our top breaches are
medical breaches. Data breaches in the healthcare industry are up
32 percent over last year, according to one report. Medical breaches are particularly significant
and harmful because of the sensitivity of personal information exposed, in
addition to, often, Social Security numbers and dates of birth.

These breaches
highlight some important lessons, among them: the need for strict privacy and
security policies; the importance of
data retention policies; and the need for data to be encrypted. Most data
breach notification laws have exceptions for encrypted data because stolen data
is generally unreadable by prying eyes if encrypted.